PHP :: Bug #62488 :: Invalid bcrypt hash

Bug #62488

Invalid bcrypt hash

Submitted:

2012-07-06 03:06 UTC

Modified:

2020-09-18 09:18 UTC

Votes:	8
Avg. Score:	4.6 ± 0.7
Reproduced:	7 of 7 (100.0%)
Same Version:	4 (57.1%)
Same OS:	2 (28.6%)

From:

smt837784 at yahoo dot com

Assigned:

cmb (profile)

Status:

Closed

Package:

*Encryption and hash functions

PHP Version:

5.3.14

OS:

Fedora 16 (3.3.4-1.fc16.x86_64)

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	smt837784 at yahoo dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2012-07-06 03:06 UTC] smt837784 at yahoo dot com

Description:
------------
If the salt is less than 128 bits (22 characters in base 64) it is padded with "$" instead of ".". Which is an invalid bcrypt hash.

Test script:
---------------
echo crypt('', '$2y$04$......................') . '<br>';
echo crypt('', '$2y$04$....') . '<br>';
echo crypt('', '$2y$04$....$$$$$$$$$$$$$$$$$.'); // keep backwards compatibility

Expected result:
----------------
$2y$04$......................w74bL5gU7LSJClZClCa.Pkz14aTv/XO
$2y$04$......................w74bL5gU7LSJClZClCa.Pkz14aTv/XO
$2y$04$....$$$$$$$$$$$$$$$$$.w74bL5gU7LSJClZClCa.Pkz14aTv/XO

Actual result:
--------------
$2y$04$......................w74bL5gU7LSJClZClCa.Pkz14aTv/XO
$2y$04$....$$$$$$$$$$$$$$$$$.w74bL5gU7LSJClZClCa.Pkz14aTv/XO
$2y$04$....$$$$$$$$$$$$$$$$$.w74bL5gU7LSJClZClCa.Pkz14aTv/XO

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-01-21 02:28 UTC] daniel at heath dot cc

Allowing these '$' characters without reporting any errors is confusing; these 
hashes cannot be decoded by any standard-compliant implementation of bcrypt.

[2020-09-18 09:18 UTC] cmb@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb

[2020-09-18 09:18 UTC] cmb@php.net

This issue is resolved as of PHP 5.5.0: <https://3v4l.org/u6MPZ>.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Dec 26 18:01:31 2024 UTC